Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic PAT
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW interface destination static TELNET_SVR TELNET_SVR service TELNET TELNET
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool PAT_POOL destination static SERVERS SERVERS
The following example configures interface PAT for inside network 192.168.1.0/24 when accessing
outside IPv6 Telnet server 2001:DB8::23, and Dynamic PAT using a PAT pool when accessing any server
on the 2001:DB8:AAAA::/96 network.
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config)# object network PAT_POOL
hostname(config-network-object)# range 2001:DB8:AAAA::1 2001:DB8:AAAA::200
hostname(config)# object network TELNET_SVR
hostname(config-network-object)# host 2001:DB8::23
hostname(config)# object service TELNET
hostname(config-service-object)# service tcp destination eq 23
hostname(config)# object network SERVERS
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW interface ipv6 destination static TELNET_SVR TELNET_SVR service TELNET TELNET
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool PAT_POOL destination static SERVERS SERVERS
Configure Per-Session PAT or Multi-Session PAT
By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. To use multi-session PAT
for traffic, you can configure per-session PAT rules: a permit rule uses per-session PAT, and a deny rule
uses multi-session PAT.
Per-session PAT improves the scalability of PAT and, for clustering, allows each member unit to own
PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit.
At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. This
reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state.
Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds.
For “hit-and-run” traffic, such as HTTP or HTTPS, per-session PAT can dramatically increase the
connection rate supported by one address. Without per-session PAT, the maximum connection rate for
one address for an IP protocol is approximately 2000 per second. With per-session PAT, the connection
rate for one address for an IP protocol is 65535/average-lifetime.
For traffic that can benefit from multi-session PAT, such as H.323, SIP, or Skinny, you can disable
per-session PAT by creating a per-session deny rule. These rules are available starting with version
9.0(1).
Before You Begin
By default, the following rules are installed:
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
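The guide states that H.323, SIP and Skinny benefit from multi-session PAT and that a per-session deny rule switches them to it, but shows only the default permit rules. The following fragment is an added example, not configuration from the guide; it uses the xlate per-session syntax shown above (permit | deny, tcp | udp, source, destination, eq port) with the well-known ports 1720 (H.323), 5060 (SIP) and 2000 (Skinny) as assumed values, and any4 to match all IPv4 sources and destinations:

```text
! Added example, not from the guide: keep the PAT xlate for voice signaling
! (H.323, SIP, Skinny) alive for the PAT timeout instead of tearing it down
! with a reset at the end of each TCP session. Ports are assumed well-known
! values; replace any4 with the real signaling hosts if you want a narrower match.
hostname(config)# xlate per-session deny tcp any4 any4 eq 1720
hostname(config)# xlate per-session deny tcp any4 any4 eq 5060
hostname(config)# xlate per-session deny udp any4 any4 eq 5060
hostname(config)# xlate per-session deny tcp any4 any4 eq 2000
```

All other TCP traffic and UDP DNS still match the default permit rules and keep per-session PAT, so the higher per-address connection rate is retained for HTTP/HTTPS. Rules already built under the old behaviour are not converted in place; clearing them with clear xlate (which drops the affected connections) makes the new rules apply to all traffic, so do it in a maintenance window.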